<policy> Element (Policy)
Specifies one or more SOAP message requirements.
<policy name="unique policy name">
    <anonymousForCertificateSecurity />
    <mutualCertificate10Security />
    <kerberosSecurity />
    <mutualCertificate11Security />
    <requireActionHeader />
    <requireSoapHeader name namespace actor />
    <usernameForCertificateSecurity />
    <usernameOverTransportSecurity />
</policy>
Attributes and Elements
Attributes
Attribute | Description |
---|---|
name | Required attribute. Identifies the policy uniquely within the policy file. |
Child Elements
Element | Description |
---|---|
<anonymousForCertificateSecurity> | Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is not authenticated. WS-Security 1.1 is required for this assertion. |
<mutualCertificate10Security> | Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.0 and 1.1 can be used with this assertion. |
<kerberosSecurity> | Represents a turnkey security assertion that uses a KerberosToken security token to authenticate the client and protect SOAP messages. |
<mutualCertificate11Security> | Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.1 is required for this assertion. |
<requireActionHeader> | Represents a security assertion that requires the presence of the Action header for the ultimate recipient of the SOAP message. |
<requireSoapHeader> | Represents a security assertion that requires the presence of the specified SOAP header in the SOAP message. |
<usernameForCertificateSecurity> | Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is authenticated using a UsernameToken security token. WS-Security 1.1 is required for this assertion. |
<usernameOverTransportSecurity> | Represents a turnkey security assertion that authenticates the client using a UsernameToken security token. The SOAP message is not encrypted or digitally signed, so a secure transport should be used with this assertion. WS-Security 1.1 or 1.0 can be used with this assertion. |
Parent Elements
Element | Description |
---|---|
<policies> | Contains the policies for the policy file. |
Remarks
The <policies> element can have zero or more <policy> elements, each of which defines a policy. Each <policy> element must have one or more child elements. Each child element is either one of the turnkey security assertions (<anonymousForCertificateSecurity>, <kerberosSecurity>, <mutualCertificate11Security>, <usernameOverTransportSecurity>, <usernameForCertificateSecurity>, <mutualCertificate10Security>) or an element defined by a custom policy assertion. For more details about using the turnkey security assertions, see Turnkey Security Assertions. For more details about custom policy assertions, see Custom Policy Assertions.
Example
The following code example demonstrates how to secure a SOAP message exchange using an X509SecurityToken security token for protection and a UsernameToken security token for client authentication. The code example defines a policy named ClientPolicy that specifies that an X509SecurityToken security token is used to digitally sign the SOAP message and to encrypt the <body> element of the SOAP message. The keys used to generate the digital signature and to encrypt the <body> element are not the same key; both are derived from the same key. In the following code example, the user name and password must be supplied in code.
<policies>
    <extensions>
        <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </extensions>
    <policy name="ClientPolicy">
        <usernameForCertificateSecurity
            establishSecurityContext="false"
            renewExpiredSecurityContext="true"
            signatureConfirmation="false"
            protectionOrder="SignBeforeEncrypting"
            deriveKeys="true" >
            <serviceToken>
                <x509
                    storeLocation="CurrentUser"
                    storeName="AddressBook"
                    findValue="CN=WSE2QuickStartServer"
                    findType="FindBySubjectDistinguishedName" />
            </serviceToken>
            <protection>
                <request
                    signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                    encryptBody="true" />
                <response
                    signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                    encryptBody="true" />
                <fault
                    signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
                    encryptBody="false" />
            </protection>
        </usernameForCertificateSecurity>
        <requireActionHeader />
    </policy>
</policies>
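As an added example (not part of the original reference page and not WSE code), the following Python script checks a policy file against the rules stated in the Remarks and Example sections: the required, unique name attribute; at least one child assertion, each either a turnkey assertion or one declared in <extensions>; the secure-transport requirement of <usernameOverTransportSecurity>; and whether request and response bodies are encrypted. The sample policy file and the element name myCustomAssertion are constructed, and treating an undeclared non-turnkey element as a finding assumes, as in the page's example, that custom assertions are declared in <extensions>.

```python
import xml.etree.ElementTree as ET
# Turnkey security assertions listed on this page, plus the two header assertions.
TURNKEY = {"anonymousForCertificateSecurity", "mutualCertificate10Security", "kerberosSecurity",
           "mutualCertificate11Security", "usernameForCertificateSecurity", "usernameOverTransportSecurity"}
HEADER_ASSERTIONS = {"requireActionHeader", "requireSoapHeader"}
# Constructed sample: the page's ClientPolicy (abbreviated, response body left clear)
# plus a second policy that reuses the name and uses an undeclared custom element.
SAMPLE = """<policies>
  <extensions>
    <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3" />
  </extensions>
  <policy name="ClientPolicy">
    <usernameForCertificateSecurity deriveKeys="true">
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
  <policy name="ClientPolicy">
    <usernameOverTransportSecurity />
    <myCustomAssertion />
  </policy>
</policies>"""

def lint_policies(xml_text):
    # Returns a list of finding strings for one WSE 3.0 policy file.
    root = ET.fromstring(xml_text)
    declared = {e.get("name") for e in root.findall("./extensions/extension")}
    findings, seen = [], set()
    for policy in root.findall("policy"):
        name = policy.get("name")
        if not name:                                  # name is a required attribute
            findings.append("policy without required name attribute")
            continue
        if name in seen:                              # and must be unique in the file
            findings.append(f"{name}: duplicate policy name")
        seen.add(name)
        if len(policy) == 0:                          # one or more child elements required
            findings.append(f"{name}: policy has no assertions")
        for child in policy:
            if child.tag not in TURNKEY | HEADER_ASSERTIONS and child.tag not in declared:
                findings.append(f"{name}: <{child.tag}> is neither turnkey nor declared in <extensions>")
            if child.tag == "usernameOverTransportSecurity":   # page: not signed or encrypted
                findings.append(f"{name}: <{child.tag}> relies on a secure transport")
            for msg in child.iter():                  # fault bodies are normally left clear
                if msg.tag in ("request", "response") and msg.get("encryptBody", "").lower() == "false":
                    findings.append(f"{name}: {msg.tag} body is not encrypted")
    return findings
```

Run lint_policies on the text of a deployed policy file; an empty list means every policy passed these checks.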
See Also
Reference
<policies> Element
<anonymousForCertificateSecurity> Element
<kerberosSecurity> Element
<mutualCertificate11Security> Element
<usernameOverTransportSecurity> Element
<usernameForCertificateSecurity> Element
<mutualCertificate10Security> Element